Microsoft partners with FBI to take down nefarious botnet

Microsoft didn’t wait long after unveiling its state-of-the-art cybercrime center to make a calculated strike against online scam artists. The new facility, based on the company campus in Redmond, Wash., is already collaborating with law enforcement agencies worldwide to disrupt the sprawling and insidious ZeroAccess botnet—which not incidentally represents a grave threat to Microsoft customers and the tech giant itself.

ZeroAccess, sometimes identified as max++ or Sirefef, has harnessed the processing power of as many as 2.2 million enslaved PCs to carry out Bitcoin mining operations and other moneymaking schemes. Victims are tricked, in a variety of ways, into downloading a Trojan rootkit, which not only allows for further infiltration of a device but cleverly conceals any evidence of a malware attack, ensuring continued access.

Security blogger Brian Krebs wrote about how the botnet was recently tweaked so that infected computers would participate in so-called click fraud, “the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site.” That activity costs online advertisers as much as $2.7 million a month—so while the security and privacy of Microsoft Windows users are certainly compromised, ZeroAccess is bad for business across the board.

Working closely with the FBI, the cybercrime divisions of Europol and several European countries, and other industry players including A10 Networks—a sure indication of the increasingly cozy relationship between government and private tech, at least where their interests align—Microsoft filed a civil suit against eight individuals believed to be operating the ZeroAccess botnet. The company was also authorized “to simultaneously block incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes,” according to Europol.

So far, it’s been hard to gauge the impact of these moves, and it’s not as though the infected computers will be suddenly “cured.” As Krebs explained, the damage was done to “servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers.” That may significantly slow the spread of malware; stopping it altogether would be a more difficult matter.

The problem, according to Dell SecureWorks researcher Brett Stone-Gross, who has studied the resilience of malicious botnets in detail, is that ZeroAccess and similar entities are built to withstand such a blow. Because its peer-to-peer network has no single point of failure, the rest of the botnet stays active when any one part is taken out, and the operators can release a new plugin “to restart their click fraud and search engine hijacking activities,” he said.

Indeed, in response to the disruption the criminals swiftly uploaded a template identified as “zooclicker” to the millions of still-infected PCs and got their click-fraud scheme humming again—but it didn’t last, and the servers went down soon after. The next configuration files to appear carried the text “WHITE FLAG,” though there’s no telling if the surrender is permanent or even a simple feint. One gets the feeling, rather, that this war has just begun.